Mozilla SSL policy bad for the Web
Posted by Nat Tuck
Mozilla Firefox 3 limits usable encrypted (SSL) web sites to those who are willing to pay money to one of their approved digital certificate vendors. This policy is bad for the web. Not only does it make users less secure overall by reducing the number of encrypted connections, it damages the basic principle of equality among web participants.
The problem is this: When a Firefox 3 user visits an encrypted web site with a self-signed certificate or a certificate signed by an unapproved (new or non-profit) provider, Firefox doesn’t show the page. Instead, it shows a scary "you are being hacked"-style warning that requires 4 clicks and an "add an exception" dialog box to bypass.
The warning looks like this:
This behavior means that a public web site basically can’t be encrypted unless they are willing to pay an approved vendor a yearly fee for a certificate. This has two effects: First, some sites are forced to pay for certificates that they otherwise wouldn’t have bought. Second, some sites are forced to go without encryption that they otherwise would have had.
SSL has two effects: First, it allows connections to be encrypted so they can’t be snooped. Second, it allows sites to be authenticated so they can’t be impersonated.
Proponents of Mozilla’s policy tend to ignore the first effect and focus on the second effect - correctly stating that a self-signed certificate has no value for authenticating a web site (unless the certificate is authenticated out-of-band by hand). This ignores the value of simple encryption. Snooping a connection (i.e. on a wireless link) is much easier than any of the impersonation attacks that SSL authentication prevents.
Now, it’s an interesting question as to exactly what the user interface should show for a self-signed website. Obviously it shouldn’t show a green address bar like the new (extra high price, major corporation only) EV certificates. But there is absolutely no excuse for it to be significanly less inviting to a normal user than an unencrypted site.
This is really an issue of the basic principles of internet openness. Everyone has equal access to the features of HTTP or SSH, there’s no reason why there should be artifical constraints on access to HTTPS. But that’s exactly what the Firefox SSL behavior does.
For bandwidth, the basic princple of internet equality is called Network Neutrality. When ISPs have threatened it, suggesting that Google (for example) should pay them for "fast lane" preferred treatment at the expense of smaller internet participants, there has been a massive uproar from those who value this principle of equality.
There should be an equally massive uproar about Mozilla’s SSL policy. Encrypted connections may not be as immediately visible as poor quality streaming video or VoIP sound quality, but it’s similarly important. Dividing the web into a "fast lane" of commercial entities willing to pay and a "slow lane" of hobbyists and non-profits who get unusable service is bad for the internet in either case.
Mozilla is Free/Open Source. Antifeatures like the SSL policy shouldn’t be a problem - users can simply remove them if they’re bothered that much. Unfortunately, that’s not good enough in this case. A webmaster doesn’t just need his web browser to work correctly, he needs the web browser of every site visitor to work correctly.
For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.
Related Links:
—
Addendum (2008/Aug/4)
A comment on Slashdot complained that I was ranting with no solution. So here’s one of the many possible solutions to this problem:
Mozilla could change the Firefox UI so that sites with unknown certificates (self signed + unknown CA) had a white title bar, no lock icon anywhere, and a yellow info bar at the top "This site cannot be authenticated…". Clicking on the info bar would bring up a dialog where that certificate could be added to a "known certificates" list. If a known certificate later changed, Firefox would give a more serious SSH style warning.
—
Addendum 2 (2008/Aug/24)
A couple of interesting approaches to this problem have been proposed.
- Giuseppe Scrivano of GNU IceCat is interested in implementing the best possible certificate behavior.
- Dan Wendlandt at CMU is working on a project to help against MITM attacks on self-signed certificates.
You’re 100% correct about the problem, but I think there is a better solution.
I’m amazed that google or yahoo or msft does not offer a public certificate authority. Self signed certificates are obviously as safe and commercial ones with the same encryption level. I like the idea of an external certificate authority.
You can of course be your own CA: http://www.davidpashley.com/articles/cert-authority.html
but that’s more steps for the users. Why not have a phlanthropic CA run by, oh, I don’t know, the Mozilla Foundation!!! (or someone else). Then I as a self-signer can upload my certificate to them. They do the busy work of verifying the certificate. Firefox then would accept certificate from that site automatically. Safari would follow immediately, and IE would come around.
You see where I’m going here. Heck – maybe there’s even money in this idea? I’d pay $5/year to have my certificate authorized…Because that’s about what it’s really worth to me.
There is a monopoly on certificates because the browser makers allow for there to be one. Get rid of the monopoly, and prices will become reasonable.
The system shouldn’t changed to fit the misunderstanding of those who use it.
Authentication and Encryption are two entirely different and unrelated things.
Certificates accomplish Authentication. Authentication requires a validated hierarchy of authority. That’s why there are no self-made drivers’ licenses, self-made passports, self-made social-security number, etc. You get the point.
Encryption in HTTPS does require a certificate but it need not be one which accomplishes authentication. (You already said this, I’m just repeating it for completeness and because we’re in agreement).
The question is “When Mozilla Firefox sees a certificate which does NOT properly authenticate, what should it do?”
Obviously the Firefox developers have elected to notify the user that there is no proper authentication. There is no way the software can technologically separate Site A (self-signed cert) with Site B (phisher site, pretending to be someone else, self-signed cert) or Site C (DNS Cache poisoning redirect host, self-signed cert). The software can therefore do one of three things:
The software clearly does #2. Which would you rather it do?
Ehud
Ehud -
The software is clearly doing #3 - Denying the user access to the site. You can bypass this default, but the UI is explicitly designed to make it so that non-expert users will never do so.
Assuming that a self-signed certificate is an attack in progress is silly. A valid certificate could be an attack in progress - either a mistyped or phished URL with a valid certificate or a mis-issued certificate combined with DNS spoofing.
Restricting the HTTPS protocal to only centrally authorized websites is not a good security / freedom trade off.
Firefox 3 is hardly new. There’s always been some annoying dialog that you had to deal with when you went to a self-signed certificate site.
I guess the point is: if the data is so sensitive that it needs cryptography, shouldn’t you know who you are talking to? The two purposes of HTTPS encryption you list aren’t really seperate.
Mozilla is trying to protect people who don’t understand the difference between authentication and encryption. And frankly, they made the right decision. Firefox is not just for the tech-savvy.
The problem, I think, lies not with Mozilla, but with the fact that there are apparently no free CAs. That’s not their fault. Identity verification requires time and resources, so somebody’s gotta pay, I guess.
Comparing this to net neutrality is pretty silly, though. You can get a basic cert for $80/year. That’s less than most hosting plans.
There are free cert signings available, just look through the pre-approved list that comes with Mozilla.
There are also cheap ones, but you’re essentially paying for nothing as I see it, since SSLs aren’t at all secure. PKI only works with a web of trust, since you can’t trust central authorities.
I’ve seen plenty of phishing sites that use valid SSL certs. SSL cert is more about who has money and less about identity.
There is also the concept of a web-of-trust. This gets around the hierarchy problem. I mean, while you can’t make your own drivers license, it is possible that it’s a fake. I mean, for $100 how much verification will a CA do? What if that CA is in the fussiness of signing phisher certs?
A web of trust basically says that, if enough people say you’re “Joe Blow” and you’re honest, then there is a high degree of chance that it’s correct. Notice the probability factor here?
However, Nat, this is for you:
Your vehemence on this issue is over blown and doesn’t consider the overwhelming ignorance of the great unwashed web masses. If people had enough common sense to not send their life savings to Nigeria, we wouldn’t even be discussing this.
Do you honestly believe that those same people are capable of sorting out the difference between “Encrypted” and “Authenticated”?
This whole “power to the people” argument you make by comparing to net neutrality is absurd. You CAN add an exception (as you noted). It IS a pain-in-the-ass (as you have also noted). So, stating that is cannot be done is incorrect. Stating that the average net user can’t do it is correct but directly contradicts your argument of granting power to the people.
If they don’t know enough to grant an exception then they are not qualified to be doing it.
Now, to address the one valid point I believe you have: defaulting to disallow self-signed certs prevents that class of websites from operating. I offer this question in respond: How would you suggest the Mozilla foundation distinguish between a self-signed phishing site and a lazy/ignorant/cheap/poor website owner? Perhaps the website owners need to take the step of getting an entry level cert? Hackers an the web play for keeps and Amateur hour is over.
If you can’t stand up a secure website, then you’re asking to be hacked. There is no guaranteed human right to stand up a web page.
Sorry, I don’t buy the “net neutrality” part of it. If you can afford a couple of bucks a month for a hosting account that allows you to set your own SSL cert up (which therefore requires a dedicated IP) you can stump up the $14 it costs for something like rapidssl.
If you can’t, well, obviously encyption isn’t that important to you.
Hello
While I think your general point is a decent one. I think the idea that most users won’t use the website (gmail or yahoo mail come to mind) is unlikely. I suspect these users, knowing the value of their e-mail, will click the OK button to whatever is necessary in order to get to it. I do agree, however, that the two issues you raise should be treated as two issues:
I would like to see certificates (and all the fuss related to them), remain the way it is now. I would like to see #2 to be treated from a security stand point as, “we hope you have already established the authenticity of this site, but whether you have or not you should know that they are offering an encrypted/secure connection which is a good security measure”
Yeah, I think we have started getting into the messages which contain Zero Extremism. There is no net neutrality issue here. Also there are “philanthropic” sites that will give you a cert. Microsoft, and Firefox both allow you to bypass these security windows and continue on to the site. While both tend to give the user a “scary” windows for there protection I know it is required. Since you can simply continue on to the website there is no issue at hand to discuss, well not the one you have brought to the table. I believe several other browsers inform the user that the self signed certs are dangerous. While it is annoying one can get themselves verified and avoid this process. If you are doing business you should be able to spend 300-600 on a 9 year cert for your website. Or spend the 12-30 a year and do it for your ‘business’ The key here is if your not a business and you have a secure section of your website your users are/should be educated enough to understand or might you consider a different solution for what your doing? I know i feel insulted if a business has SSL and it has not gone through the process of finding a CA to create a verified cert.
When a web browser restricts the use of an entire protocal (and the encrypted web protocal at that) to pre-approved web sites it’s absolutely worth calling them out over the social issue here.
Now, I agree that the social issue can be viewed separately from the security issue, but dismissing any consideration of social issues as extremism is really lame.
Ehud said
“Encryption in HTTPS does require a certificate”
Blatantly false no matter how much Verisign and others would you like to believe otherwise.
SSL and TLS are just the transport layers and all they need is some kind of asymmetric cipher to swap a private key so they can change to a symmetric chiper.
DiffeHellman allows you to do this, and both browsers and servers support it as far as I’m aware and there is no certificate involved but there is still encryption.
The downside is you could be man-in-the-middle proxied, but most attacks don’t hit the intertubes they go for end points either servers or the user end so encryption in and of itself regardless of any certificate is both do-able and useful, you don’t always need to know who is on the other end, after all how many usernames and passwords do you type into http pages, surely they are worth protecting with some level of encryption to beat passive attackers.
While even small businesses might very well be able to justify buying certificates, what about someone doing their families website, they only want to allow certain people access to view picts so they password it, but that isn’t always secure either.
If you have a self-signed certificate, how do you protect from a man-in-the-middle encryption attack?